Merge pull request #267 from muvaf/uxp-1.3.3-up.1

Add universal-crossplane 1.3.3001
Samuel Attwood 2021-12-06 13:03:25 -05:00 committed by GitHub
commit d9d234d93f
50 changed files with 2201 additions and 5 deletions


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,40 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Upbound Universal Crossplane
catalog.cattle.io/release-name: universal-crossplane
apiVersion: v1
appVersion: 1.3.3001
description: Upbound Universal Crossplane (UXP) is Upbound's official enterprise-grade
distribution of Crossplane.
home: https://upbound.io
icon: https://raw.githubusercontent.com/upbound/universal-crossplane/66ce9eb2c5a0c3af8ed7d19551a2c4d743b933b9/docs/media/logo.png
keywords:
- cloud
- infrastructure
- services
- application
- database
- cache
- bucket
- infra
- app
- ops
- oam
- gcp
- azure
- aws
- alibaba
- cloudsql
- rds
- s3
- azuredatabase
- asparadb
- gke
- aks
- eks
kubeVersion: '>= 1.15'
maintainers:
- email: info@upbound.io
name: Upbound Inc.
name: universal-crossplane
version: 1.3.300101


@ -0,0 +1,36 @@
# Upbound Universal Crossplane (UXP)
Upbound Universal Crossplane (UXP) is [Upbound's](https://upbound.io) official enterprise-grade distribution of [Crossplane](https://crossplane.io). It's fully compatible with upstream Crossplane, [open source](https://github.com/upbound/universal-crossplane), capable of connecting to [Upbound Cloud](https://cloud.upbound.io) for real-time dashboard visibility, and maintained by Upbound. It's the easiest way for both individual community members and enterprises to build their production control planes.
## Connecting to Upbound Cloud
You can optionally connect your Universal Crossplane instance to Upbound Cloud.
Follow the steps below to connect your Universal Crossplane cluster to your Upbound Cloud Console.
1. Install Upbound CLI
You will need to make sure you have the Upbound CLI installed before you continue. If you need more information on how to install the Upbound CLI, you can read the [Installing Upbound CLI Documentation](https://cloud.upbound.io/docs/cli).
```
curl -sL https://cli.upbound.io | sh
```
2. Log in to Upbound Cloud
```
up cloud login --profile=rancher --account=$UPBOUND_ACCOUNT
```
Or, to log in using an Upbound [API token](https://cloud.upbound.io/account/settings/tokens):
```
up cloud login --profile=rancher --account=$UPBOUND_ACCOUNT --token=$API_TOKEN
```
3. Create a Self-Hosted Control Plane
```
up cloud controlplane attach $CONTROL_PLANE_NAME --profile=rancher
```
4. Provide the token obtained in the previous step as `upbound.controlPlane.token` under `Upbound Cloud` section


@ -0,0 +1,184 @@
questions:
# Upbound Cloud configuration
- variable: upbound.controlPlane.token
label: upbound.controlPlane.token
required: false
type: password
description: Token used to connect Upbound Cloud
group: "Upbound Cloud"
- variable: upbound.controlPlane.permission
label: upbound.controlPlane.permission
required: false
type: enum
default: "edit"
options:
- "edit"
- "view"
description: Cluster permissions for Upbound Cloud
group: "Upbound Cloud"
# Basic Crossplane configuration
- variable: replicas
label: replicas
description: Number of replicas to run for Crossplane pods
type: int
default: 1
required: true
group: "Crossplane"
# Advanced Crossplane configuration
- variable: advancedCrossplaneConfiguration
description: View advanced configuration settings
label: View advanced configuration
type: boolean
default: false
show_subquestion_if: true
group: "Crossplane"
subquestions:
- variable: leaderElection
label: leaderElection
description: "Enable leader election for Crossplane Managers pod"
type: boolean
default: true
required: false
group: "Crossplane"
- variable: deploymentStrategy
label: deploymentStrategy
description: "The deployment strategy for the Crossplane and RBAC Manager (if enabled) pods"
type: enum
default: "RollingUpdate"
options:
- "RollingUpdate"
- "Recreate"
required: true
group: "Crossplane"
- variable: priorityClassName
label: priorityClassName
description: "Priority class name for Crossplane and RBAC Manager (if enabled) pods"
type: string
required: false
group: "Crossplane"
- variable: metrics.enabled
label: metrics.enabled
description: "Expose Crossplane and RBAC Manager metrics endpoint"
type: boolean
required: false
group: "Crossplane"
# Basic Crossplane RBAC Manager configuration
- variable: rbacManager.deploy
label: rbacManager.deploy
description: "Deploy RBAC Manager"
type: boolean
default: true
required: true
group: "Crossplane RBAC Manager"
- variable: rbacManager.replicas
label: rbacManager.replicas
description: "The number of replicas to run for the RBAC Manager pods"
type: int
default: 1
required: true
group: "Crossplane RBAC Manager"
# Advanced Crossplane RBAC Manager configuration
- variable: advancedRBACManagerConfiguration
description: View advanced configuration settings
label: View advanced configuration
type: boolean
default: false
show_subquestion_if: true
group: "Crossplane RBAC Manager"
subquestions:
- variable: rbacManager.leaderElection
label: rbacManager.leaderElection
description: "Enable leader election for RBAC Managers pod"
type: boolean
default: true
group: "Crossplane RBAC Manager"
- variable: rbacManager.managementPolicy
label: rbacManager.managementPolicy
description: RBAC manager permissions. 'All' enables management for every Crossplane controller and user role. 'Basic' enables management just for Crossplane controller roles and the crossplane-admin, crossplane-edit, and crossplane-view user roles.
type: enum
default: "Basic"
options:
- "Basic"
- "All"
required: true
group: "Crossplane RBAC Manager"
- variable: rbacManager.skipAggregatedClusterRoles
label: rbacManager.skipAggregatedClusterRoles
description: "Opt out of deploying aggregated ClusterRoles"
type: boolean
default: true
group: "Crossplane RBAC Manager"
# Basic Package configuration
- variable: provider.packages
label: provider.packages
description: List of Provider packages to install with Crossplane. Select 'Edit as YAML' for the best editing experience.
type: string
required: false
group: "Packages"
- variable: configuration.packages
label: configuration.packages
description: List of Configuration packages to install with Crossplane. Select 'Edit as YAML' for the best editing experience.
type: string
required: false
group: "Packages"
# Advanced Package configuration
- variable: advancedPackageConfiguration
description: View advanced configuration settings
label: View advanced configuration
type: boolean
default: false
show_subquestion_if: true
group: "Packages"
subquestions:
- variable: packageCache.sizeLimit
label: packageCache.sizeLimit
description: "Size limit for package cache. If medium is Memory then maximum usage would be the minimum of this value the sum of all memory limits on containers in the Crossplane pod"
type: string
default: "5Mi"
group: "Packages"
- variable: packageCache.medium
label: packageCache.medium
description: "Storage medium for package cache. Memory means volume will be backed by tmpfs, which can be useful for development"
type: string
group: "Packages"
- variable: packageCache.pvc
label: packageCache.pvc
description: "Name of the PersistentVolumeClaim to be used as the package cache. Providing a value will cause the default emptyDir volume to not be mounted"
type: string
group: "Packages"
# Basic XGQL configuration
- variable: xgql.config.debugMode
label: xgql.config.debugMode
description: "Enable debug mode for XGQL"
type: boolean
default: false
group: "XGQL"
# Advanced Crossplane configuration
- variable: advancedXGQLConfiguration
description: View advanced configuration settings
label: View advanced configuration
type: boolean
default: false
show_subquestion_if: true
group: "XGQL"
subquestions:
- variable: xgql.metrics.enabled
label: xgql.metrics.enabled
description: "Expose XGQL metrics endpoint"
type: boolean
required: false
group: "XGQL"
# Basic Agent configuration
- variable: agent.config.debugMode
label: agent.config.debugMode
description: "Enable debug mode for Upbound Agent"
type: boolean
default: false
group: "Upbound Agent"
# Basic Bootstrapper configuration
- variable: bootstrapper.config.debugMode
label: bootstrapper.config.debugMode
description: "Enable debug mode for Bootstrapper"
type: boolean
default: false
group: "Bootstrapper"
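Review bot: `provider.packages` and `configuration.packages` in the Packages group are declared `type: string`, but the Crossplane Deployment template in this PR iterates them with `range $arg := .Values.provider.packages`; a plain string typed into that form field should make the `range` fail at render time, so the install errors out instead of installing nothing. As far as I can tell Rancher's question schema has no list type, so either state the expected shape in the description, e.g. `description: YAML list of Provider packages to install (a single bare string is not accepted); select 'Edit as YAML' to enter it`, or make the template tolerate a scalar. Separately, `upbound.controlPlane.permission` defaults to `"edit"`, the broader of the two choices; if the intended default is least-privilege, `default: "view"` is the safer starting point and the NOTES template already handles both values.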


@ -0,0 +1,15 @@
By proceeding, you are accepting to comply with terms and conditions in https://licenses.upbound.io/upbound-software-license.html
✨ Thank you for installing Universal Crossplane!
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
🚀 You can now connect your cluster to Upbound Cloud!
Example command:
{{ if eq .Values.upbound.controlPlane.permission "edit" }}
$ up cloud controlplane attach <control plane name> | \
up uxp connect --token-secret-name {{ .Values.upbound.controlPlane.tokenSecretName }} --namespace {{ .Release.Namespace }} -
{{- else if eq .Values.upbound.controlPlane.permission "view" }}
$ up cloud controlplane attach --view-only <control plane name> | \
up uxp connect --token-secret-name {{ .Values.upbound.controlPlane.tokenSecretName }} --namespace {{ .Release.Namespace }} -
{{- end }}
{{- end }}


@ -0,0 +1,21 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Common labels
*/}}
{{- define "labels" -}}
helm.sh/chart: {{ include "chart" . }}
{{ include "selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "selectorLabels" -}}
app.kubernetes.io/name: {{ include "name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}


@ -0,0 +1,21 @@
{{/* vim: set filetype=mustache: */}}
{{- define "bootstrapper-name" -}}
{{- "upbound-bootstrapper" -}}
{{- end -}}
{{/*
Labels - bootstrapper
*/}}
{{- define "labelsBootstrapper" -}}
{{ include "labels" . }}
app.kubernetes.io/component: bootstrapper
{{- end }}
{{/*
Selector labels - bootstrapper
*/}}
{{- define "selectorLabelsBootstrapper" -}}
{{ include "selectorLabels" . }}
app.kubernetes.io/component: bootstrapper
{{- end }}


@ -0,0 +1,26 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "bootstrapper-name" . }}
labels:
{{- include "labelsBootstrapper" . | nindent 4 }}
rules:
# Bootstrapper needs to identify the cluster uniquely and it does that by using
# UID of kube-system namespace.
- apiGroups:
- ""
resources:
- namespaces
resourceNames:
- "kube-system"
verbs:
- "get"
# Controller-runtime requires watch and list permissions to build its resource
# cache of the kind that any client query is made for.
- apiGroups:
- ""
resources:
- namespaces
verbs:
- "list"
- "watch"


@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "bootstrapper-name" . }}
labels:
{{- include "labelsBootstrapper" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "bootstrapper-name" . }}
subjects:
- kind: ServiceAccount
name: {{ template "bootstrapper-name" . }}
namespace: {{ .Release.Namespace }}


@ -0,0 +1,64 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "bootstrapper-name" . }}
labels:
{{- include "labelsBootstrapper" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
{{- include "selectorLabelsBootstrapper" . | nindent 6 }}
template:
metadata:
labels:
{{- include "selectorLabelsBootstrapper" . | nindent 8 }}
spec:
serviceAccountName: {{ template "bootstrapper-name" . }}
{{- if .Values.billing.awsMarketplace.enabled }}
securityContext:
# Providing this is not required for 1.19 or later clusters.
# See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
fsGroup: 1337
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range $index, $secret := .Values.imagePullSecrets }}
- name: {{ $secret }}
{{- end }}
{{ end }}
containers:
- name: bootstrapper
image: "{{ .Values.bootstrapper.image.repository }}:{{ .Values.bootstrapper.image.tag }}"
args:
- start
- --namespace
- {{ .Release.Namespace }}
- --upbound-api-url
- {{ .Values.upbound.apiURL }}
- --upbound-token-secret
- {{ .Values.upbound.controlPlane.tokenSecretName }}
- --agent-manifest
- {{ include "agent-spec" . | b64enc }}
- --controller
- upbound-agent
- --controller
- tls-secrets
{{- if .Values.billing.awsMarketplace.enabled }}
- --controller
- aws-marketplace
{{- end }}
{{- if .Values.bootstrapper.config.debugMode }}
- "--debug"
{{- end }}
{{- range $arg := .Values.bootstrapper.config.args }}
- {{ $arg }}
{{- end }}
env:
{{- range $key, $value := .Values.bootstrapper.config.envVars }}
- name: {{ $key | replace "." "_" }}
value: {{ $value | quote }}
{{- end}}
imagePullPolicy: {{ .Values.bootstrapper.image.pullPolicy }}
resources:
{{- toYaml .Values.bootstrapper.resources | nindent 12 }}
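Review bot: The `bootstrapper` container sets no `securityContext`, whereas the Crossplane and RBAC Manager Deployments in this PR render `.Values.securityContextCrossplane` / `.Values.securityContextRBACManager` onto their containers; this pod runs under a ServiceAccount that can update secrets and create Deployments in the namespace, so it deserves the same hardening, e.g. `securityContext:` followed by `{{- toYaml .Values.bootstrapper.securityContext | nindent 12 }}` with a new value of that name (not in this diff) carrying the same defaults as the other two. Separately, the argument values `- {{ .Release.Namespace }}`, `- {{ .Values.upbound.apiURL }}`, `- {{ .Values.upbound.controlPlane.tokenSecretName }}` and `- {{ $arg }}` are emitted as plain scalars, so a value containing `: ` or ` #` would alter the YAML structure; pipe them through `| quote` as the `env` block below already does for values. The same unquoted `- {{ $arg }}` pattern recurs in the Crossplane Deployment, RBAC Manager Deployment and agent-spec sections of this PR.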


@ -0,0 +1,28 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "bootstrapper-name" . }}
labels:
{{- include "labelsBootstrapper" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["watch", "list"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "update", "patch"]
resourceNames:
- uxp-ca
- upbound-agent-public-certs
- upbound-agent-tls
- xgql-tls
- {{ .Values.upbound.controlPlane.tokenSecretName }}
{{- if .Values.billing.awsMarketplace.enabled }}
- upbound-entitlement
{{- end}}
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["create", "update", "watch", "list"]
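Review bot: The `resourceNames` list on the `secrets` get/update/patch rule restricts less than it appears to: the rule just above grants `watch` and `list` on all secrets in the namespace, and Kubernetes RBAC cannot scope `list`/`watch` by `resourceNames`, so the bootstrapper ServiceAccount can still read the contents of every Secret in the release namespace, including any provider credentials stored there. If list/watch are required for the controller-runtime cache (the bootstrapper ClusterRole in this PR documents the same need for namespaces), state it and its consequence in a comment above that rule, e.g. `# list/watch cannot be limited by resourceNames, so this exposes every Secret in the namespace; required for the controller-runtime cache`. A cache restricted by label or field selector, or a plain client using only `get` on the named secrets, would keep read access at the scope the `resourceNames` list suggests.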


@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "bootstrapper-name" . }}
labels:
{{- include "labelsBootstrapper" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "bootstrapper-name" . }}
subjects:
- kind: ServiceAccount
name: {{ template "bootstrapper-name" . }}
namespace: {{ .Release.Namespace }}


@ -0,0 +1,9 @@
{{- if .Values.billing.awsMarketplace.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: upbound-entitlement
labels:
{{- include "labelsBootstrapper" . | nindent 4 }}
type: Opaque
{{- end }}
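Review bot: This renders an `Opaque` Secret with no `data`, which reads like an omission unless the reader knows it is a placeholder filled at runtime; the `uxp-ca` Secret section later in this PR has the same shape. Presumably the bootstrapper's `aws-marketplace` and `tls-secrets` controllers (named in the bootstrapper Deployment args) write these, but that is not verifiable from the diff, so add a comment above `apiVersion` after confirming, e.g. `# Intentionally empty: populated at runtime by the bootstrapper (aws-marketplace controller)`. If the runtime-written contents must survive `helm uninstall`, the `helm.sh/resource-policy: keep` annotation is worth considering for both secrets.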


@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "bootstrapper-name" . }}
{{- if and .Values.billing.awsMarketplace.enabled .Values.billing.awsMarketplace.iamRoleARN }}
annotations:
eks.amazonaws.com/role-arn: {{ .Values.billing.awsMarketplace.iamRoleARN | quote }}
{{- end }}
labels:
{{- include "labelsBootstrapper" . | nindent 4 }}


@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: uxp-ca
labels:
{{- include "labels" . | nindent 4 }}
type: Opaque


@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: universal-crossplane-config
labels:
{{- include "labelsBootstrapper" . | nindent 4 }}
data:
crossplaneVersion: {{ (trimPrefix "v" .Values.image.tag) }}
xgqlVersion: {{ (trimPrefix "v" .Values.xgql.image.tag) }}
agentVersion: {{ (trimPrefix "v" .Values.agent.image.tag) }}
uxpVersion: {{ .Chart.Version }}
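Review bot: The four version values are rendered as plain scalars, so an image tag or chart version that happens to look numeric (a two-part tag such as `1.4`, or an all-digit one) is parsed by YAML as a number and then rejected by the API server, which requires ConfigMap `data` values to be strings. Render each with `| quote`, e.g. `crossplaneVersion: {{ trimPrefix "v" .Values.image.tag | quote }}`, and likewise for `xgqlVersion`, `agentVersion` and `uxpVersion: {{ .Chart.Version | quote }}`.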


@ -0,0 +1,8 @@
Release: {{.Release.Name}}
Chart Name: {{.Chart.Name}}
Chart Description: {{.Chart.Description}}
Chart Version: {{.Chart.Version}}
Chart Application Version: {{.Chart.AppVersion}}
Kube Version: {{.Capabilities.KubeVersion}}


@ -0,0 +1,14 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}


@ -0,0 +1,93 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-crossplane: "true"
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:system:aggregate-to-crossplane
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
crossplane.io/scope: "system"
rbac.crossplane.io/aggregate-to-crossplane: "true"
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- "*"
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- "*"
- apiGroups:
- apiextensions.crossplane.io
- pkg.crossplane.io
resources:
- "*"
verbs:
- "*"
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- list
- create
- update
- patch
- delete
- watch
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- create
- update
- patch
- watch
- delete
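Review bot: The `:system:aggregate-to-crossplane` rules grant cluster-wide `secrets` get/list/watch/create/update/patch, `serviceaccounts: "*"` and `customresourcedefinitions: "*"` without a word of justification, whereas the RBAC Manager ClusterRole and the aggregated user roles in this PR comment each grant. The first ClusterRole also absorbs any ClusterRole labelled `rbac.crossplane.io/aggregate-to-crossplane: "true"`, so the Crossplane ServiceAccount's effective permissions grow at runtime with whatever carries that label, and an auditor needs that context. Add a one-line why-comment per rule in the style of the aggregated roles, confirmed against upstream Crossplane rather than guessed, plus a line above `aggregationRule` such as `# Any ClusterRole labelled aggregate-to-crossplane (e.g. ones installed with providers) is merged into this role at runtime.` The `extensions` API group on the deployments rule is gone from clusters at the chart's `kubeVersion` floor and upward, so it can be dropped when this is next touched.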


@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "name" . }}
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "name" . }}
subjects:
- kind: ServiceAccount
name: {{ template "name" . }}
namespace: {{ .Release.Namespace }}


@ -0,0 +1,106 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "name" . }}
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ template "name" . }}
release: {{ .Release.Name }}
strategy:
type: {{ .Values.deploymentStrategy }}
template:
metadata:
{{- if .Values.metrics.enabled }}
annotations:
prometheus.io/path: /metrics
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
{{- end }}
labels:
app: {{ template "name" . }}
release: {{ .Release.Name }}
spec:
securityContext:
{{- toYaml .Values.podSecurityContextCrossplane | nindent 8 }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
serviceAccountName: {{ template "name" . }}
initContainers:
- image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
args:
- core
- init
{{- range $arg := .Values.provider.packages }}
- --provider
- "{{ $arg }}"
{{- end }}
{{- range $arg := .Values.configuration.packages }}
- --configuration
- "{{ $arg }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: {{ .Chart.Name }}-init
resources:
{{- toYaml .Values.resourcesCrossplane | nindent 12 }}
securityContext:
{{- toYaml .Values.securityContextCrossplane | nindent 12 }}
containers:
- image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
args:
- core
- start
{{- range $arg := .Values.args }}
- {{ $arg }}
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: {{ .Chart.Name }}
resources:
{{- toYaml .Values.resourcesCrossplane | nindent 12 }}
{{- if .Values.metrics.enabled }}
ports:
- name: metrics
containerPort: 8080
{{- end }}
securityContext:
{{- toYaml .Values.securityContextCrossplane | nindent 12 }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LEADER_ELECTION
value: "{{ .Values.leaderElection }}"
{{- range $key, $value := .Values.extraEnvVarsCrossplane }}
- name: {{ $key | replace "." "_" }}
value: {{ $value | quote }}
{{- end}}
volumeMounts:
- mountPath: /cache
name: package-cache
volumes:
- name: package-cache
{{- if .Values.packageCache.pvc }}
persistentVolumeClaim:
claimName: {{ .Values.packageCache.pvc }}
{{- else }}
emptyDir:
medium: {{ .Values.packageCache.medium }}
sizeLimit: {{ .Values.packageCache.sizeLimit }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}


@ -0,0 +1,16 @@
{{- if .Values.rbacManager.deploy }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:allowed-provider-permissions
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true"
{{- end}}


@ -0,0 +1,94 @@
{{- if .Values.rbacManager.deploy }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}-rbac-manager
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.crossplane.io
resources:
- compositeresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- pkg.crossplane.io
resources:
- providerrevisions
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- roles
verbs:
- get
- list
- watch
- create
- update
- patch
# The RBAC manager may grant access it does not have.
- escalate
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
verbs:
- bind
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
verbs:
- "*"
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- create
- update
- patch
- watch
- delete
{{- end}}
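Review bot: The `escalate` verb carries a why-comment, but the adjacent `bind` on `clusterroles` and `"*"` on `clusterrolebindings` do not, and together the three let this ServiceAccount hand out any permission in the cluster; a reader should not have to infer that. Add `# The RBAC manager may bind roles it does not itself hold.` above `- bind`, and above the `clusterrolebindings` rule something like `# Creates and prunes the bindings that attach Crossplane roles to subjects; with escalate and bind this is cluster-admin-equivalent, so keep the rbac-manager pod hardened.` Consider also replacing `"*"` on `clusterrolebindings` with the verbs actually used, matching how the `clusterroles` rule enumerates its verbs, so that a future verb is not granted implicitly.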


@ -0,0 +1,19 @@
{{- if .Values.rbacManager.deploy }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "name" . }}-rbac-manager
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "name" . }}-rbac-manager
subjects:
- kind: ServiceAccount
name: rbac-manager
namespace: {{ .Release.Namespace }}
{{- end}}


@ -0,0 +1,87 @@
{{- if .Values.rbacManager.deploy }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "name" . }}-rbac-manager
labels:
app: {{ template "name" . }}-rbac-manager
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.rbacManager.replicas }}
selector:
matchLabels:
app: {{ template "name" . }}-rbac-manager
release: {{ .Release.Name }}
strategy:
type: {{ .Values.deploymentStrategy }}
template:
metadata:
{{- if .Values.metrics.enabled }}
annotations:
prometheus.io/path: /metrics
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
{{- end }}
labels:
app: {{ template "name" . }}-rbac-manager
release: {{ .Release.Name }}
spec:
securityContext:
{{- toYaml .Values.podSecurityContextRBACManager | nindent 8 }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
serviceAccountName: rbac-manager
initContainers:
- image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
args:
- rbac
- init
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: {{ .Chart.Name }}-init
resources:
{{- toYaml .Values.resourcesRBACManager | nindent 12 }}
securityContext:
{{- toYaml .Values.securityContextRBACManager | nindent 12 }}
containers:
- image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
args:
- rbac
- start
{{- if .Values.rbacManager.managementPolicy }}
- --manage={{ .Values.rbacManager.managementPolicy }}
{{- end }}
{{- range $arg := .Values.rbacManager.args }}
- {{ $arg }}
{{- end }}
- --provider-clusterrole={{ template "name" .}}:allowed-provider-permissions
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: {{ .Chart.Name }}
resources:
{{- toYaml .Values.resourcesRBACManager | nindent 12 }}
{{- if .Values.metrics.enabled }}
ports:
- name: metrics
containerPort: 8080
{{- end }}
securityContext:
{{- toYaml .Values.securityContextRBACManager | nindent 12 }}
env:
- name: LEADER_ELECTION
value: "{{ .Values.rbacManager.leaderElection }}"
{{- range $key, $value := .Values.extraEnvVarsRBACManager }}
- name: {{ $key | replace "." "_" }}
value: {{ $value | quote }}
{{- end}}
{{- if .Values.rbacManager.nodeSelector }}
nodeSelector: {{ toYaml .Values.rbacManager.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.rbacManager.tolerations }}
tolerations: {{ toYaml .Values.rbacManager.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.rbacManager.affinity }}
affinity: {{ toYaml .Values.rbacManager.affinity | nindent 8 }}
{{- end }}
{{- end}}


@ -0,0 +1,279 @@
{{- if .Values.rbacManager.deploy }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "name" . }}-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "name" . }}-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ template "name" . }}:masters
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}-admin
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-admin: "true"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}-edit
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-edit: "true"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}-view
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-view: "true"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}-browse
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-browse: "true"
{{- if not .Values.rbacManager.skipAggregatedClusterRoles }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-admin
labels:
rbac.crossplane.io/aggregate-to-admin: "true"
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
# Crossplane administrators have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane administrators must create provider credential secrets, and may
# need to read or otherwise interact with connection secrets. They may also need
# to create or annotate namespaces.
- apiGroups: [""]
resources: [secrets, namespaces]
verbs: ["*"]
# Crossplane administrators have access to view the roles that they may be able
# to grant to other subjects.
- apiGroups: [rbac.authorization.k8s.io]
resources: [clusterroles, roles]
verbs: [get, list, watch]
# Crossplane administrators have access to grant the access they have to other
# subjects.
- apiGroups: [rbac.authorization.k8s.io]
resources: [clusterrolebindings, rolebindings]
verbs: ["*"]
# Crossplane administrators have full access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: ["*"]
- apiGroups:
- pkg.crossplane.io
resources: [providers, configurations, providerrevisions, configurationrevisions]
verbs: ["*"]
# Crossplane administrators have access to view CRDs in order to debug XRDs.
- apiGroups: [apiextensions.k8s.io]
resources: [customresourcedefinitions]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-edit
labels:
rbac.crossplane.io/aggregate-to-edit: "true"
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
# Crossplane editors have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane editors must create provider credential secrets, and may need to
# read or otherwise interact with connection secrets.
- apiGroups: [""]
resources: [secrets]
verbs: ["*"]
# Crossplane editors may see which namespaces exist, but not edit them.
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
# Crossplane editors have full access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: ["*"]
- apiGroups:
- pkg.crossplane.io
resources: [providers, configurations, providerrevisions, configurationrevisions]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-view
labels:
rbac.crossplane.io/aggregate-to-view: "true"
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
# Crossplane viewers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane viewers may see which namespaces exist.
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
# Crossplane viewers have read-only access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: [get, list, watch]
- apiGroups:
- pkg.crossplane.io
resources: [providers, configurations, providerrevisions, configurationrevisions]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-browse
labels:
rbac.crossplane.io/aggregate-to-browse: "true"
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
# Crossplane browsers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane browsers have read-only access to compositions and XRDs. This
# allows them to discover and select an appropriate composition when creating a
# resource claim.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: [get, list, watch]
{{- if .Values.rbacManager.managementPolicy }}
---
# The below ClusterRoles are aggregated to the namespaced RBAC roles created by
# the Crossplane RBAC manager when it is running in --manage=All mode.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-ns-admin
labels:
rbac.crossplane.io/aggregate-to-ns-admin: "true"
rbac.crossplane.io/base-of-ns-admin: "true"
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
# Crossplane namespace admins have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane namespace admins may need to read or otherwise interact with
# resource claim connection secrets.
- apiGroups: [""]
resources: [secrets]
verbs: ["*"]
# Crossplane namespace admins have access to view the roles that they may be
# able to grant to other subjects.
- apiGroups: [rbac.authorization.k8s.io]
resources: [roles]
verbs: [get, list, watch]
# Crossplane namespace admins have access to grant the access they have to other
# subjects.
- apiGroups: [rbac.authorization.k8s.io]
resources: [rolebindings]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-ns-edit
labels:
rbac.crossplane.io/aggregate-to-ns-edit: "true"
rbac.crossplane.io/base-of-ns-edit: "true"
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
# Crossplane namespace editors have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane namespace editors may need to read or otherwise interact with
# resource claim connection secrets.
- apiGroups: [""]
resources: [secrets]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-ns-view
labels:
rbac.crossplane.io/aggregate-to-ns-view: "true"
rbac.crossplane.io/base-of-ns-view: "true"
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
# Crossplane namespace viewers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
{{- end }}
{{- end }}
{{- end }}
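Review bot: The comment above the `:aggregate-to-ns-admin` ClusterRole says the ns-* roles exist for the RBAC manager's `--manage=All` mode, but the guard is `{{- if .Values.rbacManager.managementPolicy }}`, which is true for any non-empty value, including `"Basic"`, the default offered in questions.yaml. Either the condition or the comment is wrong: if the comment is the intent, change the guard to `{{- if eq .Values.rbacManager.managementPolicy "All" }}`; otherwise reword the comment to say the roles are rendered whenever a management policy is set so that switching to `All` needs no upgrade. Rendering them under `Basic` is harmless on its own, since they are aggregation bases rather than bindings, so this is a consistency point rather than a privilege one. The outer `rbacManager.deploy` and `skipAggregatedClusterRoles` guards both close on the last lines of this file.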


@ -0,0 +1,11 @@
{{- if .Values.rbacManager.deploy }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbac-manager
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- end}}


@ -0,0 +1,15 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "name" . }}
labels:
app: {{ template "name" . }}
chart: {{ template "chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range $index, $secret := .Values.imagePullSecrets }}
- name: {{ $secret }}
{{- end }}
{{ end }}
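Review bot: The pull-secret name on `- name: {{ $secret }}` is rendered as a plain scalar, so a Secret name that happens to look like a number or boolean would be retyped by the YAML parser; write `- name: {{ $secret | quote }}`. The same range binds `$index` without using it and closes with an untrimmed `{{ end }}` that emits a blank line into the rendered manifest; `{{- range $secret := .Values.imagePullSecrets }}` and `{{- end }}` are the usual forms. The agent-spec define and the xgql Deployment later in this commit repeat the identical loop and should change together.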


@ -0,0 +1,87 @@
{{- define "agent-spec" -}}
replicas: 1
selector:
matchLabels:
{{- include "selectorLabelsAgent" . | nindent 8 }}
template:
metadata:
labels:
{{- include "selectorLabelsAgent" . | nindent 10 }}
spec:
serviceAccountName: {{ template "agent-name" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range $index, $secret := .Values.imagePullSecrets }}
- name: {{ $secret }}
{{- end }}
{{ end }}
containers:
- name: agent
image: "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag }}"
args:
- agent
- --tls-cert-file
- /etc/certs/upbound-agent/tls.crt
- --tls-key-file
- /etc/certs/upbound-agent/tls.key
- --xgql-ca-bundle-file
- /etc/certs/upbound-agent/ca.crt
- --nats-endpoint
- nats://{{ .Values.upbound.connectHost }}:{{ .Values.upbound.connectPort | default "443" }}
- --upbound-api-endpoint
- {{ .Values.upbound.apiURL }}
{{- if .Values.agent.config.debugMode }}
- "--debug"
{{- end }}
{{- range $arg := .Values.agent.config.args }}
- {{ $arg }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: CONTROL_PLANE_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.upbound.controlPlane.tokenSecretName }}
key: token
{{- range $key, $value := .Values.agent.config.envVars }}
- name: {{ $key | replace "." "_" }}
value: {{ $value | quote }}
{{- end}}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
ports:
- name: agent
containerPort: 6443
protocol: TCP
resources:
{{- toYaml .Values.agent.resources | nindent 14 }}
readinessProbe:
httpGet:
scheme: HTTPS
path: /readyz
port: 6443
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 5
failureThreshold: 3
livenessProbe:
httpGet:
scheme: HTTPS
path: /livez
port: 6443
initialDelaySeconds: 10
timeoutSeconds: 5
periodSeconds: 30
failureThreshold: 5
volumeMounts:
- mountPath: /etc/certs/upbound-agent
name: certs
readOnly: true
volumes:
- name: certs
secret:
defaultMode: 420
secretName: upbound-agent-tls
{{- end }}
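Review bot: The agent container has no `securityContext`, while the values file in this same commit hardens the crossplane and rbac-manager containers with `runAsUser: 65532`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; this container holds the control-plane token and runs under an impersonation-capable ServiceAccount, so it deserves at least that baseline. The lines below add a container-level `securityContext` under `- name: agent`; `readOnlyRootFilesystem` assumes the agent writes nothing to its filesystem and the uid assumes the image tolerates an arbitrary non-root user, so confirm both against the image before merging. Templated list items such as `- {{ .Values.upbound.apiURL }}` and `- {{ $arg }}` should also be piped through `quote` so a value beginning with a YAML indicator cannot break the args sequence. The xgql Deployment in this commit has the same missing `securityContext`.
```yaml
    containers:
    - name: agent
      # … unchanged: image, args, env, imagePullPolicy, ports, resources, probes, volumeMounts …
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
```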


@ -0,0 +1,22 @@
{{/* vim: set filetype=mustache: */}}
{{- define "agent-name" -}}
{{- "upbound-agent" -}}
{{- end -}}
{{/*
Labels - agent
*/}}
{{- define "labelsAgent" -}}
{{ include "labels" . }}
app.kubernetes.io/component: agent
{{- end }}
{{/*
Selector labels - agent
*/}}
{{- define "selectorLabelsAgent" -}}
{{ include "selectorLabels" . }}
app.kubernetes.io/component: agent
{{- end }}


@ -0,0 +1,40 @@
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "agent-name" . }}
labels:
{{- include "labelsAgent" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["namespaces"]
resourceNames: ["kube-system"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "agent-name" . }}-impersonator
labels:
{{- include "labelsAgent" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["users"]
verbs: ["impersonate"]
resourceNames: ["upbound-cloud-impersonator"]
- apiGroups: ["authentication.k8s.io"]
resources: ["userextras/upbound-id"]
verbs: ["impersonate"]
- apiGroups: [""]
resources: ["groups"]
resourceNames:
# system:authenticated is required for calls to discovery API. Some Kubernetes
# clients like kubectl use it to figure out exactly which endpoints to call
# for given arguments.
- "system:authenticated"
- "upbound:view"
{{- if eq .Values.upbound.controlPlane.permission "edit" }}
- "upbound:edit"
{{- end }}
verbs: ["impersonate"]
{{- end }}
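Review bot: The guard `{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}` renders nothing for any other value, so a typo such as `View` silently installs no agent RBAC instead of failing the install; the same guard heads the agent ClusterRoleBinding, aggregate ClusterRole, Role, Service, ServiceAccount and TLS Secret templates in this commit. Assuming an empty value is the intended way to disable the agent, one check at the top of this template would catch the rest: `{{- $p := .Values.upbound.controlPlane.permission }}{{- if not (or (eq $p "") (eq $p "view") (eq $p "edit")) }}{{ fail "upbound.controlPlane.permission must be \"\", view or edit" }}{{- end }}`. Separately, the `get` on the `kube-system` Namespace in the first ClusterRole carries no comment saying what the agent reads from it, unlike the `system:authenticated` entry below; a line such as `# The agent reads the kube-system Namespace object (presumably to derive a cluster identifier) — confirm and document` would make the grant reviewable.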


@ -0,0 +1,34 @@
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "name" . }}-view
labels:
{{- include "labelsAgent" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "name" . }}-view
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: upbound:view
{{- if eq .Values.upbound.controlPlane.permission "edit" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "name" . }}-edit
labels:
{{- include "labelsAgent" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "name" . }}-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: upbound:edit
{{- end }}
{{- end }}
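Review bot: Both `roleRef`s point at ClusterRoles named `{{ template "name" . }}-view` and `{{ template "name" . }}-edit`, which no template in this commit defines; the commit only adds the `aggregate-to-view`/`aggregate-to-edit` ClusterRoles meant to be folded into them. If those aggregated roles are created at runtime by the rbac-manager, these bindings silently depend on `rbacManager.deploy: true` and on the manager's naming, and a comment above the first `roleRef` should say so, e.g. `# crossplane-view/crossplane-edit are aggregated ClusterRoles created by the rbac-manager, not by this chart`. The `---` on the line after the opening `if` is also absent from the sibling agent ClusterRoleBinding template in this commit; pick one form for both.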


@ -0,0 +1,31 @@
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "agent-name" . }}
labels:
{{- include "labelsAgent" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "agent-name" . }}
subjects:
- kind: ServiceAccount
name: {{ template "agent-name" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "agent-name" . }}-impersonator
labels:
{{- include "labelsAgent" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "agent-name" . }}-impersonator
subjects:
- kind: ServiceAccount
name: {{ template "agent-name" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@ -0,0 +1,66 @@
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
# There are more permissions in upstream aggregated ClusterRoles than we'd like
# to have, so, we have our own ClusterRoles with only the permissions we need.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-view
labels:
rbac.crossplane.io/aggregate-to-view: "true"
{{- include "labelsAgent" . | nindent 4 }}
rules:
# Universal Crossplane viewers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Universal Crossplane viewers may see which namespaces exist.
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
# Universal Crossplane viewers may see CRDs installed in the cluster.
- apiGroups: [apiextensions.k8s.io]
resources: [customresourcedefinitions]
verbs: [get, list, watch]
# Universal Crossplane viewers have read-only access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: [get, list, watch]
- apiGroups:
- pkg.crossplane.io
resources: [providers, configurations, providerrevisions, configurationrevisions]
verbs: [get, list, watch]
{{- if eq .Values.upbound.controlPlane.permission "edit" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "name" . }}:aggregate-to-edit
labels:
rbac.crossplane.io/aggregate-to-edit: "true"
{{- include "labelsAgent" . | nindent 4 }}
rules:
# Universal Crossplane editors have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Universal Crossplane editors may see which namespaces exist, but not edit them.
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
# Universal Crossplane editors may see CRDs installed in the cluster.
- apiGroups: [apiextensions.k8s.io]
resources: [customresourcedefinitions]
verbs: [get, list, watch]
# Universal Crossplane editors have full access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: ["*"]
- apiGroups:
- pkg.crossplane.io
resources: [providers, configurations, providerrevisions, configurationrevisions]
verbs: ["*"]
{{- end }}
{{- end }}
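Review bot: The header comment promises ClusterRoles "with only the permissions we need", yet the editor rule for `apiextensions.crossplane.io` grants `resources: ["*"]` with `verbs: ["*"]`, while the neighbouring `pkg.crossplane.io` rule enumerates its resources. A wildcard resource list also extends to any type added to that API group in a later Crossplane release, so the grant widens without a chart change; enumerating the resources as the pkg rule does keeps the least-privilege claim in the comment verifiable. The viewer rule on `resources: ["*"]` above has the same shape, though being read-only the exposure is smaller.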


@ -0,0 +1,11 @@
{{- if .Values.upbound.controlPlane.token }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.upbound.controlPlane.tokenSecretName }}
labels:
{{- include "labels" . | nindent 4 }}
type: Opaque
data:
token: {{ .Values.upbound.controlPlane.token | b64enc | quote }}
{{- end }}
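Review bot: The Secret name on `name: {{ .Values.upbound.controlPlane.tokenSecretName }}` is rendered unquoted; `{{ .Values.upbound.controlPlane.tokenSecretName | quote }}` keeps a numeric-looking name a string, matching the `quote` already applied to the token value. It is also worth recording that supplying `upbound.controlPlane.token` through values stores the token in the Helm release record as well as in this Secret, and that the empty-token path (nothing rendered, so the Secret named by `tokenSecretName` must already exist) is the one to use when the token should not pass through Helm; a comment above the `if` such as `# Rendered only when a token is supplied via values; otherwise the Secret named by tokenSecretName must be created out of band.` captures the contract.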


@ -0,0 +1,66 @@
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
---
# We need to be able to read universal-crossplane-config configmap in the namespace
# where UXP is deployed to provide version/configuration information.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "agent-name" . }}-uxp-config
labels:
{{- include "labelsAgent" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["universal-crossplane-config"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "agent-name" . }}-uxp-config
labels:
{{- include "labelsAgent" . | nindent 4 }}
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: upbound:view
{{- if eq .Values.upbound.controlPlane.permission "edit" }}
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: upbound:edit
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "agent-name" . }}-uxp-config
{{- end }}
{{- if eq .Values.upbound.controlPlane.permission "edit" }}
---
# We need to be able to manage Secrets in the namespace where UXP is deployed
# so that Secrets pointed by ProviderConfig objects can be created by the agent.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "agent-name" . }}-secret
labels:
{{- include "labelsAgent" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "agent-name" . }}-secret
labels:
{{- include "labelsAgent" . | nindent 4 }}
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: upbound:edit
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "agent-name" . }}-secret
{{- end }}
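Review bot: The Role on `name: {{ template "agent-name" . }}-secret` grants `verbs: ["*"]` on every Secret in the release namespace to the `upbound:edit` group, but the comment above it states only that Secrets referenced by ProviderConfig objects need to be created. That namespace also holds the control-plane token Secret and the `upbound-agent-tls` Secret added in this commit, so the wildcard gives an `upbound:edit` user, acting through the agent's impersonation, read access to the agent's own credentials. If reading is not required, limit the verbs to what the comment describes, e.g. `verbs: ["create", "update", "patch", "delete"]`; if `get` is required, extend the comment to say why. The enclosing `if` for this Role begins on the line before its `---`.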


@ -0,0 +1,16 @@
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "agent-name" . }}
labels:
{{- include "labelsAgent" . | nindent 4 }}
spec:
selector:
{{- include "selectorLabelsAgent" . | nindent 4 }}
ports:
- port: 6443
targetPort: 6443
protocol: TCP
name: https
{{- end }}
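Review bot: `targetPort: 6443` repeats the container port as a number, whereas the xgql Service in this commit uses the named port `targetPort: https`; naming the agent container port `https` in the agent-spec define and writing `targetPort: https` here keeps the two Services consistent and lets the container port move without touching the Service. The container port is currently named `agent`, so the rename lands in the define rather than in this file.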


@ -0,0 +1,8 @@
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "agent-name" . }}
labels:
{{- include "labelsAgent" . | nindent 4 }}
{{- end }}


@ -0,0 +1,9 @@
{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
apiVersion: v1
kind: Secret
metadata:
name: upbound-agent-tls
labels:
{{- include "labelsAgent" . | nindent 4 }}
type: Opaque
{{- end }}
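Review bot: The `upbound-agent-tls` Secret is rendered with `type: Opaque` and no `data`, and nothing in this commit says who fills it, yet the agent Deployment mounts it and passes `/etc/certs/upbound-agent/tls.crt` and `tls.key` to the binary, so agent pods cannot come up until something else populates it. A comment above `type: Opaque` should record that contract, e.g. `# Intentionally empty: the TLS material is written at runtime by another component (presumably the bootstrapper) — confirm`; the `xgql-tls` Secret template in this commit needs the same note. Whether `helm upgrade` preserves runtime-written `data` here rests on Helm's three-way merge leaving fields the chart never set untouched; once confirmed, that belongs in the same comment.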


@ -0,0 +1,22 @@
{{/* vim: set filetype=mustache: */}}
{{- define "xgql-name" -}}
{{- "xgql" -}}
{{- end -}}
{{/*
Labels - xgql
*/}}
{{- define "labelsXgql" -}}
{{ include "labels" . }}
app.kubernetes.io/component: xgql
{{- end }}
{{/*
Selector labels - xgql
*/}}
{{- define "selectorLabelsXgql" -}}
{{ include "selectorLabels" . }}
app.kubernetes.io/component: xgql
{{- end }}


@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "xgql-name" . }}
labels:
{{- include "labelsXgql" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "selectorLabelsXgql" . | nindent 6 }}
template:
metadata:
labels:
{{- include "selectorLabelsXgql" . | nindent 8 }}
spec:
serviceAccountName: {{ template "xgql-name" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range $index, $secret := .Values.imagePullSecrets }}
- name: {{ $secret }}
{{- end }}
{{ end }}
containers:
- name: xgql
image: "{{ .Values.xgql.image.repository }}:{{ .Values.xgql.image.tag }}"
imagePullPolicy: {{ .Values.xgql.image.pullPolicy }}
resources:
{{- toYaml .Values.xgql.resources | nindent 12 }}
ports:
- name: https
containerPort: 8443
protocol: TCP
{{- if .Values.xgql.metrics.enabled }}
- name: metrics
containerPort: 8080
{{- end }}
args:
- --tls-key=/etc/certs/xgql/tls.key
- --tls-cert=/etc/certs/xgql/tls.crt
{{- if .Values.xgql.config.debugMode }}
- "--debug"
{{- end }}
{{- range $arg := .Values.xgql.config.args }}
- {{ $arg }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- range $key, $value := .Values.xgql.config.envVars }}
- name: {{ $key | replace "." "_" }}
value: {{ $value | quote }}
{{- end}}
volumeMounts:
- mountPath: /etc/certs/xgql
name: certs
readOnly: true
volumes:
- name: certs
secret:
defaultMode: 420
secretName: xgql-tls
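Review bot: The xgql container defines neither a `readinessProbe` nor a `livenessProbe`, while the agent Deployment in this commit defines both against its HTTPS port; without a readiness probe the pod is Ready as soon as the container starts, so the `xgql` Service can route to it before the TLS listener on `containerPort: 8443` is accepting connections. If xgql exposes health endpoints comparable to the agent's `/readyz` and `/livez`, add probes with `scheme: HTTPS` and `port: https`; if it does not, a comment saying so would stop the next reviewer asking. The container also lacks the `securityContext` that the crossplane and rbac-manager containers receive from values, and `- {{ $arg }}` should be `- {{ $arg | quote }}`.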


@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "xgql-name" . }}
labels:
{{- include "labelsXgql" . | nindent 4 }}
spec:
selector:
{{- include "selectorLabelsXgql" . | nindent 4 }}
ports:
- port: 443
targetPort: https
protocol: TCP
name: https


@ -0,0 +1,6 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "xgql-name" . }}
labels:
{{- include "labelsXgql" . | nindent 4 }}


@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: xgql-tls
labels:
{{- include "labelsXgql" . | nindent 4 }}
type: Opaque


@ -0,0 +1,185 @@
nameOverride: "crossplane"
replicas: 1
deploymentStrategy: RollingUpdate
image:
repository: crossplane/crossplane
tag: v1.3.3
pullPolicy: IfNotPresent
nodeSelector: {}
tolerations: {}
affinity: {}
leaderElection: true
args: {}
provider:
packages: []
configuration:
packages: []
imagePullSecrets:
- dockerhub
rbacManager:
deploy: true
skipAggregatedClusterRoles: true
replicas: 1
managementPolicy: Basic
leaderElection: true
args: {}
nodeSelector: {}
tolerations: {}
affinity: {}
priorityClassName: ""
resourcesCrossplane:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContextCrossplane:
runAsUser: 65532
runAsGroup: 65532
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
packageCache:
medium: ""
sizeLimit: 5Mi
pvc: ""
resourcesRBACManager:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContextRBACManager:
runAsUser: 65532
runAsGroup: 65532
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
metrics:
enabled: false
# List of extra environment variables to set in the crossplane deployment.
# EXAMPLE
# extraEnvironmentVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
extraEnvVarsCrossplane: {}
# List of extra environment variables to set in the crossplane rbac manager deployment.
# EXAMPLE
# extraEnvironmentVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
extraEnvVarsRBACManager: {}
podSecurityContextCrossplane: {}
podSecurityContextRBACManager: {}
### Agent Values
upbound:
apiURL: "https://api.upbound.io"
connectHost: "connect.upbound.io"
controlPlane:
permission: edit
tokenSecretName: upbound-control-plane-token
token: ""
xgql:
image:
repository: upbound/xgql
tag: v0.1.5
pullPolicy: IfNotPresent
resources: {}
metrics:
enabled: false
config:
debugMode: false
args: []
envVars: {}
# List of extra environment variables to set in the xgql deployment.
# EXAMPLE
# envVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
agent:
image:
repository: upbound/upbound-agent
tag: v1.3.3-up.1
pullPolicy: IfNotPresent
resources: {}
config:
debugMode: false
args: []
envVars: {}
# List of extra environment variables to set in the agent deployment.
# EXAMPLE
# envVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
### Bootstrapper Values
bootstrapper:
image:
repository: upbound/uxp-bootstrapper
tag: v1.3.3-up.1
pullPolicy: IfNotPresent
resources: {}
config:
debugMode: false
args: []
envVars: {}
# List of extra environment variables to set in the bootstrapper deployment.
# EXAMPLE
# envVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
billing:
awsMarketplace:
enabled: false
iamRoleARN: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
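Review bot: `permission: edit` under `upbound.controlPlane` defaults the agent to its most privileged mode — the `upbound:edit` group it binds can write every `apiextensions.crossplane.io` and `pkg.crossplane.io` type and every Secret in the release namespace via the `-secret` Role in this commit — and nothing in this file says what the accepted values are. Either default to `view` or add a comment above the key, e.g. `# One of: view, edit. "edit" grants Upbound Cloud editors write access to Crossplane types and to Secrets in this namespace.`, so the choice is made knowingly. `tolerations: {}` (under both the top level and `rbacManager`) declares a mapping for a field Kubernetes types as a list; `[]` is the matching empty default. `securityContextCrossplane` and `securityContextRBACManager` pin a non-root uid but omit `runAsNonRoot: true`, which is what makes the kubelet enforce non-root if the uid is overridden. The `.tmpl` copy of this file later in the commit carries the same defaults.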


@ -0,0 +1,185 @@
nameOverride: "crossplane"
replicas: 1
deploymentStrategy: RollingUpdate
image:
repository: crossplane/crossplane
tag: %%CROSSPLANE_TAG%%
pullPolicy: IfNotPresent
nodeSelector: {}
tolerations: {}
affinity: {}
leaderElection: true
args: {}
provider:
packages: []
configuration:
packages: []
imagePullSecrets:
- dockerhub
rbacManager:
deploy: true
skipAggregatedClusterRoles: true
replicas: 1
managementPolicy: Basic
leaderElection: true
args: {}
nodeSelector: {}
tolerations: {}
affinity: {}
priorityClassName: ""
resourcesCrossplane:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContextCrossplane:
runAsUser: 65532
runAsGroup: 65532
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
packageCache:
medium: ""
sizeLimit: 5Mi
pvc: ""
resourcesRBACManager:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContextRBACManager:
runAsUser: 65532
runAsGroup: 65532
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
metrics:
enabled: false
# List of extra environment variables to set in the crossplane deployment.
# EXAMPLE
# extraEnvironmentVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
extraEnvVarsCrossplane: {}
# List of extra environment variables to set in the crossplane rbac manager deployment.
# EXAMPLE
# extraEnvironmentVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
extraEnvVarsRBACManager: {}
podSecurityContextCrossplane: {}
podSecurityContextRBACManager: {}
### Agent Values
upbound:
apiURL: "https://api.upbound.io"
connectHost: "connect.upbound.io"
controlPlane:
permission: edit
tokenSecretName: upbound-control-plane-token
token: ""
xgql:
image:
repository: upbound/xgql
tag: %%XGQL_TAG%%
pullPolicy: IfNotPresent
resources: {}
metrics:
enabled: false
config:
debugMode: false
args: []
envVars: {}
# List of extra environment variables to set in the xgql deployment.
# EXAMPLE
# envVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
agent:
image:
repository: upbound/upbound-agent
tag: %%AGENT_TAG%%
pullPolicy: IfNotPresent
resources: {}
config:
debugMode: false
args: []
envVars: {}
# List of extra environment variables to set in the agent deployment.
# EXAMPLE
# envVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
### Bootstrapper Values
bootstrapper:
image:
repository: upbound/uxp-bootstrapper
tag: %%BOOTSTRAPPER_TAG%%
pullPolicy: IfNotPresent
resources: {}
config:
debugMode: false
args: []
envVars: {}
# List of extra environment variables to set in the bootstrapper deployment.
# EXAMPLE
# envVars:
# sample.key: value1
# ANOTHER.KEY: value2
# RESULT
# - name: sample_key
# value: "value1"
# - name: ANOTHER_KEY
# value: "value2"
billing:
awsMarketplace:
enabled: false
iamRoleARN: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>


@ -2363,6 +2363,50 @@ entries:
- assets/traefik/traefik-10.6.0.tgz
version: 10.6.0
universal-crossplane:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Upbound Universal Crossplane
catalog.cattle.io/release-name: universal-crossplane
apiVersion: v1
appVersion: 1.3.3001
created: "2021-11-30T15:24:49.873684+03:00"
description: Upbound Universal Crossplane (UXP) is Upbound's official enterprise-grade
distribution of Crossplane.
digest: fc71970731fa83222058b53b9f345558ec97f410e9ab965f761be24188560a85
home: https://upbound.io
icon: https://raw.githubusercontent.com/upbound/universal-crossplane/66ce9eb2c5a0c3af8ed7d19551a2c4d743b933b9/docs/media/logo.png
keywords:
- cloud
- infrastructure
- services
- application
- database
- cache
- bucket
- infra
- app
- ops
- oam
- gcp
- azure
- aws
- alibaba
- cloudsql
- rds
- s3
- azuredatabase
- asparadb
- gke
- aks
- eks
kubeVersion: '>= 1.15'
maintainers:
- email: info@upbound.io
name: Upbound Inc.
name: universal-crossplane
urls:
- assets/universal-crossplane/universal-crossplane-1.3.300101.tgz
version: 1.3.300101
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Upbound Universal Crossplane


@ -2,9 +2,9 @@
+++ charts/Chart.yaml
@@ -1,8 +1,13 @@
apiVersion: v1
-appVersion: 1.3.1-up.1
-appVersion: 1.3.3-up.1
-description: 'Upbound Universal Crossplane (UXP) is Upbound''s official enterprise-grade distribution of Crossplane. It''s fully compatible with upstream Crossplane, open source, capable of connecting to Upbound Cloud for real-time dashboard visibility, and maintained by Upbound. It''s the easiest way for both individual community members and enterprises to build their production control planes. '
+appVersion: 1.3.1001
+appVersion: 1.3.3001
+description: 'Upbound Universal Crossplane (UXP) is Upbound''s official enterprise-grade distribution of Crossplane.'
home: https://upbound.io
icon: https://raw.githubusercontent.com/upbound/universal-crossplane/66ce9eb2c5a0c3af8ed7d19551a2c4d743b933b9/docs/media/logo.png
@ -20,5 +20,5 @@
- email: info@upbound.io
name: Upbound Inc.
name: universal-crossplane
-version: 1.3.1-up.1
+version: 1.3.1001
-version: 1.3.3-up.1
+version: 1.3.3001


@ -1,2 +1,2 @@
url: https://charts.upbound.io/stable/universal-crossplane-1.3.1-up.1.tgz
url: https://charts.upbound.io/stable/universal-crossplane-1.3.3-up.1.tgz
packageVersion: 01